lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20191004122120.GP3431@localhost.localdomain>
Date:   Fri, 4 Oct 2019 09:21:20 -0300
From:   Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To:     Eric Biggers <ebiggers@...nel.org>
Cc:     Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
        linux-sctp@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com,
        Catalin Marinas <catalin.marinas@....com>,
        Kent Overstreet <kent.overstreet@...il.com>,
        Vlad Yasevich <vyasevich@...il.com>,
        Xin Long <lucien.xin@...il.com>,
        Neil Horman <nhorman@...driver.com>
Subject: Re: [PATCH] lib/generic-radix-tree.c: add kmemleak annotations

On Thu, Oct 03, 2019 at 11:50:39PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@...gle.com>
> 
> Kmemleak is falsely reporting a leak of the slab allocation in
> sctp_stream_init_ext():
> 
> BUG: memory leak
> unreferenced object 0xffff8881114f5d80 (size 96):
>    comm "syz-executor934", pid 7160, jiffies 4294993058 (age 31.950s)
>    hex dump (first 32 bytes):
>      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>    backtrace:
>      [<00000000ce7a1326>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
>      [<00000000ce7a1326>] slab_post_alloc_hook mm/slab.h:439 [inline]
>      [<00000000ce7a1326>] slab_alloc mm/slab.c:3326 [inline]
>      [<00000000ce7a1326>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
>      [<000000007abb7ac9>] kmalloc include/linux/slab.h:547 [inline]
>      [<000000007abb7ac9>] kzalloc include/linux/slab.h:742 [inline]
>      [<000000007abb7ac9>] sctp_stream_init_ext+0x2b/0xa0  net/sctp/stream.c:157
>      [<0000000048ecb9c1>] sctp_sendmsg_to_asoc+0x946/0xa00  net/sctp/socket.c:1882
>      [<000000004483ca2b>] sctp_sendmsg+0x2a8/0x990 net/sctp/socket.c:2102
>      [...]
> 
> But it's freed later.  Kmemleak misses the allocation because its
> pointer is stored in the generic radix tree sctp_stream::out, and the
> generic radix tree uses raw pages which aren't tracked by kmemleak.
> 
> Fix this by adding the kmemleak hooks to the generic radix tree code.

Nice, thanks Eric.

Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>

> 
> Reported-by: syzbot+7f3b6b106be8dcdcdeec@...kaller.appspotmail.com
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
> ---
>  lib/generic-radix-tree.c | 32 ++++++++++++++++++++++++++------
>  1 file changed, 26 insertions(+), 6 deletions(-)
> 
> diff --git a/lib/generic-radix-tree.c b/lib/generic-radix-tree.c
> index ae25e2fa2187..f25eb111c051 100644
> --- a/lib/generic-radix-tree.c
> +++ b/lib/generic-radix-tree.c
> @@ -2,6 +2,7 @@
>  #include <linux/export.h>
>  #include <linux/generic-radix-tree.h>
>  #include <linux/gfp.h>
> +#include <linux/kmemleak.h>
>  
>  #define GENRADIX_ARY		(PAGE_SIZE / sizeof(struct genradix_node *))
>  #define GENRADIX_ARY_SHIFT	ilog2(GENRADIX_ARY)
> @@ -75,6 +76,27 @@ void *__genradix_ptr(struct __genradix *radix, size_t offset)
>  }
>  EXPORT_SYMBOL(__genradix_ptr);
>  
> +static inline struct genradix_node *genradix_alloc_node(gfp_t gfp_mask)
> +{
> +	struct genradix_node *node;
> +
> +	node = (struct genradix_node *)__get_free_page(gfp_mask|__GFP_ZERO);
> +
> +	/*
> +	 * We're using pages (not slab allocations) directly for kernel data
> +	 * structures, so we need to explicitly inform kmemleak of them in order
> +	 * to avoid false positive memory leak reports.
> +	 */
> +	kmemleak_alloc(node, PAGE_SIZE, 1, gfp_mask);
> +	return node;
> +}
> +
> +static inline void genradix_free_node(struct genradix_node *node)
> +{
> +	kmemleak_free(node);
> +	free_page((unsigned long)node);
> +}
> +
>  /*
>   * Returns pointer to the specified byte @offset within @radix, allocating it if
>   * necessary - newly allocated slots are always zeroed out:
> @@ -97,8 +119,7 @@ void *__genradix_ptr_alloc(struct __genradix *radix, size_t offset,
>  			break;
>  
>  		if (!new_node) {
> -			new_node = (void *)
> -				__get_free_page(gfp_mask|__GFP_ZERO);
> +			new_node = genradix_alloc_node(gfp_mask);
>  			if (!new_node)
>  				return NULL;
>  		}
> @@ -121,8 +142,7 @@ void *__genradix_ptr_alloc(struct __genradix *radix, size_t offset,
>  		n = READ_ONCE(*p);
>  		if (!n) {
>  			if (!new_node) {
> -				new_node = (void *)
> -					__get_free_page(gfp_mask|__GFP_ZERO);
> +				new_node = genradix_alloc_node(gfp_mask);
>  				if (!new_node)
>  					return NULL;
>  			}
> @@ -133,7 +153,7 @@ void *__genradix_ptr_alloc(struct __genradix *radix, size_t offset,
>  	}
>  
>  	if (new_node)
> -		free_page((unsigned long) new_node);
> +		genradix_free_node(new_node);
>  
>  	return &n->data[offset];
>  }
> @@ -191,7 +211,7 @@ static void genradix_free_recurse(struct genradix_node *n, unsigned level)
>  				genradix_free_recurse(n->children[i], level - 1);
>  	}
>  
> -	free_page((unsigned long) n);
> +	genradix_free_node(n);
>  }
>  
>  int __genradix_prealloc(struct __genradix *radix, size_t size,
> -- 
> 2.23.0
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ